
Issuer Identifier is not accepted as Client Assertion audience

Test https://www.certification.openid.net/log-detail.html?log=9SejmckyIgfmjKP

https://tools.ietf.org/html/rfc7523#section-3

The JWT MUST contain an "aud" (audience) claim containing a value that identifies the authorization server as an intended audience. The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT. The authorization server MUST reject any JWT that does not contain its own identity as the intended audience. In the absence of an application profile specifying otherwise, compliant applications MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986]. As noted in Section 5, the precise strings to be used as the audience for a given authorization server must be configured out of band by the authorization server and the issuer of the JWT.

https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

aud REQUIRED. Audience. The aud (audience) Claim. Value that identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.

It MUST be a value that identifies the authorization server, which the Issuer Identifier certainly is. It MAY (or, in OIDC, SHOULD) be the token endpoint, which is a leftover from when there was no "Issuer Identifier" concept in OAuth in the first place and should IMHO be fixed by an erratum to say it SHOULD be the issuer identifier but may also be the token endpoint URL (I'll raise a ticket for this in OIDC; edit: https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience).

For the sake of all client software developers, don't enforce the SHOULD; allow the Issuer Identifier, as per the only MUST from RFC 7523. It's a nonsense requirement when you consider all the endpoints that JWT client auth assertions may be used at (Token, Introspection, Revocation, PAR, CIBA, Device Authorization Grant).

Edited Mar 15, 2021 by Filip Skokan
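As an added example (not part of this issue, the conformance suite, or any of the specifications quoted above), the following Python shows what the audience policy argued for here looks like on the authorization server side: a `client_secret_jwt` assertion is accepted when its `aud` claim contains either the Issuer Identifier or the URL of any endpoint the assertion may be presented at, compared with the Simple String Comparison that RFC 7523 §3 mandates (no URL normalization, so a trailing slash is a mismatch). The issuer, endpoint URLs, client_id and client secret are constructed values, and the HS256 JWT helpers are written inline so the example runs without a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example authorization server (assumption, not from the issue).
ISSUER = "https://as.example.com"
ENDPOINT_URLS = {
    "token": ISSUER + "/token",
    "introspection": ISSUER + "/introspect",
    "revocation": ISSUER + "/revoke",
    "pushed_authorization_request": ISSUER + "/par",
    "device_authorization": ISSUER + "/device",
}
# Policy argued for in the issue: the Issuer Identifier is always an acceptable
# audience, and so is each endpoint URL a client assertion may be sent to.
ACCEPTED_AUDIENCES = frozenset({ISSUER, *ENDPOINT_URLS.values()})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_secret_jwt(client_id, client_secret, aud, now=None, lifetime=60):
    """Build a client_secret_jwt assertion (HS256) the way a client would."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": f"jti-{now}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def audience_matches(aud_claim, accepted):
    """RFC 7523 §3: 'aud' is a string or an array of strings; at least one value must
    equal one of our identifiers under Simple String Comparison (RFC 3986 §6.2.1),
    i.e. character-for-character, with no scheme/host/path normalization."""
    if isinstance(aud_claim, str):
        values = [aud_claim]
    elif isinstance(aud_claim, list) and all(isinstance(v, str) for v in aud_claim):
        values = aud_claim
    else:
        return False
    return any(v in accepted for v in values)


def verify_client_assertion(assertion, client_id, client_secret,
                            accepted=ACCEPTED_AUDIENCES, now=None):
    """Server-side validation of a client_secret_jwt assertion.
    Returns the claims on success; raises ValueError with the reason otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
        header = json.loads(_unb64url(h_b64))
        claims = json.loads(_unb64url(c_b64))
        provided_sig = _unb64url(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # JSONDecodeError/binascii.Error are ValueErrors
        raise ValueError("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    if header.get("alg") != "HS256":  # pins the registered method; also rejects alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        raise ValueError("bad signature")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must equal the client_id")
    if not audience_matches(claims.get("aud"), accepted):
        raise ValueError(f"aud {claims.get('aud')!r} does not identify this server")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired or exp missing")
    if not claims.get("jti"):
        raise ValueError("jti required")
    return claims


def evaluate_cases(now=1_700_000_000):
    """Run constructed assertions through the verifier; returns {case_name: accepted}."""
    cases = {
        "issuer_identifier": ISSUER,
        "token_endpoint": ENDPOINT_URLS["token"],
        "introspection_endpoint": ENDPOINT_URLS["introspection"],
        "issuer_with_trailing_slash": ISSUER + "/",  # rejected: simple string comparison
        "array_with_one_match": ["https://elsewhere.example", ISSUER],
        "other_server": "https://other-as.example.com",
        "aud_is_a_number": 42,
    }
    results = {}
    for name, aud in cases.items():
        token = make_client_secret_jwt("client-1", "s3cret", aud, now=now)
        try:
            verify_client_assertion(token, "client-1", "s3cret", now=now + 10)
            results[name] = True
        except ValueError:
            results[name] = False
    return results
```

A server that wanted the stricter OIDC reading would simply pass `accepted={ENDPOINT_URLS["token"]}` to `verify_client_assertion`; the point of keeping the accepted set as a parameter is that the comparison itself never changes, only the out-of-band configured strings do, exactly as RFC 7523 §5 describes.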